QRadar Network Packet Capture Query Language (NTQL)
Use the QRadar® Network Packet Capture Query Language (NTQL) to retrieve data from packets that are captured.
For example, you can use NTQL for the following types of information:
- IPv4 host addresses, as source, destination or either
- IPv6 host addresses, as source, destination or either
- TCP or UDP port numbers, as source, destination or either
- Layer 3 protocol carried by Ethernet frames
- Layer 4 protocol carried by IP packages
- Combinations of these with the logical operators "and" and "or"
Note: NTQL is case sensitive.
Matching everything
An empty NTQL string matches all packets, which is useful when the number of matches is limited.
Host address search
To search for packets sent to a specific host, enter the following string:
src host <IP address>
To search for packets sent from a host, enter the following string:
dst host <IP address>
Port number search
To search for packets that were sent to or from a TCP or UDP port, enter the following string:
port <number>
Packets that are sent by using protocols that have no port numbers are discarded by this search.
To narrow down the search results to packets that were sent from a specific port, enter the following string:
src port <number>
To search for packets that were sent to a specific port, enter the following string:
dst port <number>
Layer 3 protocol search
To search for packets that use a specific layer 3 protocol, enter the following string:
l3proto <protocol>
where <protocol> is either a protocol number or a name. These are the supported protocol names:
arp, ip, ip4, ip6, ipv4, ipv6, lldp, ptp
If ip is given as the protocol, IPv4 is used.
Layer 4 protocol search
To search for packets that use a specific layer 4 protocol, enter the following string:
l4proto <protocol>
where <protocol> is either a protocol number or a name. These are the supported names:
3pc, ah, argus, aris, ax.25, bbn-rcc-mon, bna, br-sat-mon, cbt, cftp,
chaos, compaq-peer, cphb, cpnx, crtp, crudp, dccp, dcn-meas, ddp, ddx,
dgp, egp, eigrp, emcon, encap, esp, etherip, fc, fire, ggp,
gmtp, gre, hip, hmp, hopopt, i-nlsp, iatp, icmp, idpr, idpr-cmtp,
idrp, ifmp, igmp, igp, il, ip-in-ip, ipcomp, ipcu, ipip, iplt,
ippc, iptm, ipv6, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, ipv6-route, ipx-in-ip, irtp,
iso-ip, iso-tp4, kryptolan, l2tp, larp, leaf-1, leaf-2, manet, merit-inp, mfe-nsp,
mhrp, micp, mobile, mobility-header, mpls-in-ip, mtp, mux, narp, netblt, nsfnet-igp,
nvp-ii, ospf, pgm, pim, pipe, pnni, prm, ptp, pup, pvp,
qnx, rdp, rohc, rsvp, rsvp-e2e-ignore, rvd, sat-expak, sat-mon, scc-sp, scps,
sctp, sdrp, secure-vmtp, shim6, skip, sm, smp, snp, sprite-rpc, sps,
srp, sscopmce, st, stp, sun-nd, swipe, tcf, tcp, tlsp, tp++,
trunk-1, trunk-2, ttp, udp, udplite, uti, vines, visa, vmtp, vrrp,
wb-expak, wb-mon, wesp, wsn, xnet, xns-idp, xtp
Combining search terms
These search terms can be combined into more complex expressions with the "and" and "or" keywords. For example, to search for packets to or from 1.1.1.1 or 2.2.2.2, enter the following string:
host 1.1.1.1 or host 2.2.2.2
To search for packets that are both to or from 1.1.1.1 and to or from 2.2.2.2, enter the following string:
host 1.1.1.1 and host 2.2.2.2
These keywords are left associative. For example, consider the following syntax:
port 42 and host 1.1.1.1 or host 2.2.2.2
The expression evaluates to the following:
- sent to or from port 42 and to or from host 1.1.1.1, or
- to or from host 2.2.2.2, without regard for the port numbers
Now consider the following syntax, which uses parentheses:
port 42 and (host 1.1.1.1 or host 2.2.2.2)
The expression evaluates to find packets to or from port 42 that are to or from host 1.1.1.1 or 2.2.2.2.
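The following is an added example, not IBM's code, that evaluates a subset of NTQL (host, port, l4proto, and, or, parentheses) against constructed packet dictionaries so that the left-associative grouping described above can be checked directly. It assumes a packet is a dict with keys src, dst, sport, dport and l4, and it knows only a small assumed subset of the layer 4 protocol names.

```python
import re

L4_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}   # assumed subset of the page's name list

def match(query, packet):
    """Evaluate an NTQL query string against one constructed packet dict."""
    tokens = re.findall(r"\(|\)|[^\s()]+", query)
    if not tokens:                      # an empty NTQL string matches all packets
        return True
    result = parse_expr(tokens)(packet)
    if tokens:
        raise ValueError("unexpected token: %s" % tokens[0])
    return result

def parse_expr(tokens):
    """expr = term (('and'|'or') term)*; and/or share one precedence level and
    are left associative, so 'a and b or c' groups as '(a and b) or c'."""
    left = parse_term(tokens)
    while tokens and tokens[0] in ("and", "or"):
        op = tokens.pop(0)
        left = combine(op, left, parse_term(tokens))
    return left

def combine(op, left, right):
    if op == "and":
        return lambda pkt: left(pkt) and right(pkt)
    return lambda pkt: left(pkt) or right(pkt)

def parse_term(tokens):
    tok = tokens.pop(0)
    if tok == "(":                      # parentheses override the default grouping
        inner = parse_expr(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return inner
    side = None
    if tok in ("src", "dst"):           # optional direction qualifier
        side, tok = tok, tokens.pop(0)
    value = tokens.pop(0)
    if tok == "host":
        keys = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[side]
        return lambda pkt: any(pkt.get(k) == value for k in keys)
    if tok == "port":
        keys = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[side]
        n = int(value)                  # packets without ports (e.g. ICMP) never match
        return lambda pkt: any(pkt.get(k) == n for k in keys)
    if tok == "l4proto" and side is None:
        n = L4_NAMES[value] if value in L4_NAMES else int(value)
        return lambda pkt: pkt.get("l4") == n
    raise ValueError("unknown term %r (NTQL is case sensitive)" % tok)
```

With the page's example packets, match("port 42 and host 1.1.1.1 or host 2.2.2.2", pkt) is true for any packet involving 2.2.2.2 regardless of port, while the parenthesized form requires port 42.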